Securing Your Connection On Freenode

Freenode offers a couple of wonderful services to any IRC user that I'm afraid many only know about. They outline them very well on their website, but I'm afraid that many IRC users aren't taking advantage of them. Since my blog is syndicated on a couple of planets, I hope to reach a broad readership of IRC users and to convince those readers to take advantage of these services.

First, a Freenode cloak and what it is. When you connect to an IRC server, the server looks up your hostname, and if the servers are in round robin DNS, a server with the least load and shortest ping times is chosen. Once connected, your nick, coupled with your hostname, provides a unique identifier for your connection. The only problem is that, unless you are cloaked, anyone can see your hostname and launch a DoS attack on you personally. While such incidents are rare and isolated, the exposure makes you vulnerable. Freenode cloaks solve this issue.

What is a cloak? A cloak hides your hostmask, which contains your IP address and/or domain name, keeping others from seeing where your IRC session is connected, and keeping you effectively secure from outside DoS attacks. For example, when you join a channel, your hostmask is displayed as follows:

21:25 -!- lamer [n=user@222.14.84.1] has joined #ubuntu

Here we can plainly see the user "lamer" and his IP address. While that might not be the IP address where he is located, but rather just that of his IRC session, he is potentially prone to a DoS attack. Now, imagine that he was cloaked by Freenode staff:

21:25 -!- lamer [n=user@unaffiliated/lamer] has joined #ubuntu

We know his nick, as is needed to communicate with him, but we know nothing of his domain or IP address. A DoS attack on this user would be ineffective.

Unaffiliated cloaks are handed out with no strings attached. The user is asked to follow a few basic rules before the cloak can be given, but if they are met, they are handed out freely and willingly. However, it would be much appreciated if the user would financially donate to Freenode. Such users are given a special cloak, part of "project cloaks". The following cloak would be applied if our user "lamer" above donated at the bronze level:

This cloak is a special cloak that can be worn with pride showing that you are helping Freenode keep up with necessary server maintenance and general overhead. There are many other cloaks that can be applied, if you are involved with a certain project. Ubuntu has such cloaks for approved members, which you have probably seen around the network:

21:25 -!- lamer [n=user@ubuntu/member/lamer] has joined #ubuntu

There are many, many other project cloaks that can be applied, such as Gentoo development, Wikipedia editing and even cooking. Regardless of the cloak, your domain/IP is hidden from the users on the network, effectively killing any chance for a personal DoS attack. If nothing else, they look cool and show your involvement with a specific project.
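To check whether your own joins still expose an address, you can scan your client log for your nick and classify the host part of each hostmask. This is an added example, not part of the original post; it assumes the irssi-style join format shown above and that a cloak is recognised by the "/" seen in the post's examples, and the sample log is constructed.

```python
import ipaddress
import re

# irssi-style join line, as shown in the post:
#   21:25 -!- lamer [n=user@222.14.84.1] has joined #ubuntu
JOIN_RE = re.compile(
    r"^\d{2}:\d{2} -!- (?P<nick>\S+) \[(?P<user>[^@\]]+)@(?P<host>[^\]]+)\] "
    r"has joined (?P<channel>\S+)$"
)

def classify_host(host):
    """Return 'cloaked', 'ip' or 'hostname' for the host part of a hostmask."""
    # Assumption: a cloak is recognised by the '/' separator seen in the
    # post's examples; '/' cannot appear in a DNS name or an IP address.
    if "/" in host:
        return "cloaked"
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "hostname"

def audit_joins(lines, my_nick):
    """Return (channel, host, kind) for each join by my_nick that is not cloaked."""
    exposed = []
    for line in lines:
        m = JOIN_RE.match(line.strip())
        # Skip non-join lines and joins by other users.
        if not m or m.group("nick").lower() != my_nick.lower():
            continue
        kind = classify_host(m.group("host"))
        if kind != "cloaked":
            exposed.append((m.group("channel"), m.group("host"), kind))
    return exposed

# Constructed sample log, modelled on the lines in the post.
SAMPLE_LOG = [
    "21:25 -!- lamer [n=user@222.14.84.1] has joined #ubuntu",
    "21:26 -!- lamer [n=user@unaffiliated/lamer] has joined #ubuntu",
    "21:27 -!- lamer [n=user@ubuntu/member/lamer] has joined #ubuntu",
    "21:28 -!- lamer [n=user@host.example.net] has joined #freenode",
    "21:29 -!- other [n=me@198.51.100.7] has joined #ubuntu",
    "21:30 < lamer> not a join line",
]

if __name__ == "__main__":
    for channel, host, kind in audit_joins(SAMPLE_LOG, "lamer"):
        print(f"{channel}: hostmask exposes {kind} {host}")
```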

Now, I'd like to move on to another topic, securing your connection even further. The topic is avoiding a specific router exploit called the DCC exploit. I won't go into the details of how it is executed, but the DCC exploit is troublesome for large channels, as it causes massive quits from the channel, effectively flooding the channel. Large channels are getting better, and most routers have patched the bug through firmware updates, but there are still users that are being affected.

In most channels, if you are affected by this exploit, you will usually be temporarily banned from the channel until you either patch your router's firmware or connect to Freenode on a different port. While patching your router's firmware should be your first priority, it definitely isn't the easiest, and you could end up with a dead router if it is executed poorly. The easiest way to work around this bug is to connect to Freenode on port 8001, as the exploit only affects users on port 6667. Check your IRC client's documentation on how to connect to servers on different ports.

These two tools secure your connection on Freenode, making it pretty difficult to remove you from the network unless you're Freenode staff. While your connection is not secured via encryption, and is still in plain text on the wire unless you are connected to Freenode's hidden service via Tor, you can rest assured that you'll stay connected, provided that you have a stable ISP.

I would HIGHLY recommend taking full advantage of these two services, acquiring a cloak and connecting on port 8001, if you spend any amount of time on Freenode. Join #freenode for further information regarding these topics.

@Ori- We chatted about this on IRC, but I think that any password authentication, whether to NickServ or ChanServ, should be encrypted. I don't know how that fits in the protocol, and a 100% encrypted connection through SSL introduces a heavy overhead and longer ping times, but the benefits far outweigh the necessary trouble.

Hey Aaron, thanks for this post; I follow the Ubuntu planet and followed your recommendations. I haven't been active on IRC for a bit, but I'm always online, so cloaking and re-porting were probably a good idea. Again, thanks.

[...] IRC and Freenode should take the time to read and implement these security features. Thanks Aaron! [http://www.pthree.org/2007/07/15/securing-your-connection-on-freenode/ Freenode Security by Aaron [...]